Still problem with iFrame
So a link phishing had iFramed the front page of this site to try to trick me into inputting login credentials. I removed the iFrame and put the code into the headers of the htaccess file.
But now, every time I try to do some minor updates to LiteSpeed or Hubbub (I don’t use many plugins) it will say the page won’t load due to iFraming. This is the page INSIDE the admin area.
The plugins eventually get updated, but then I have to go in and remove the Maintenance file in order to be able to access the site again. This is so annoying.
Why is it doing this????? Can someone please give me the correct code and location where it should be placed?????
The plugins eventually get updated, but then I have to go in and remove the Maintenance file in order to be able to access the site again. This is so annoying
What plugin are you referring to “eventually get updated”?
Well, after getting the message that WP cannot open the page because of iFrame (which was not inside the admin area that I know of) it goes into Maintenance mode.
I have to go into my FTP to remove the dot file to regain access.
Then I see that the plugins meanwhile WERE updated.
But the pain in the butt is having it throw up that notice and go into Maintenance every time.
The original page that was iFramed was the front page… the plugins are Lite Speed and Hubbub.
To me, it sounds more like an update (of a plugin?) couldn’t be completed properly. In such a case, WordPress’s own maintenance mode remains active for the duration of these updates and is (I believe) automatically deactivated after a maximum of 15 minutes.
Just to be sure: you go to the backend, click on Updates, and install the pending plugin updates. Afterwards, maintenance mode remains activated and you have to reset it via FTP. Is that the way to do it?
If so, then:
- Check the error log in your hosting to see if an error occurred during the update. Your host’s support team can help you find the log.
- Check exactly which plugin you want to install an update for. Make a note of its version number before the update and check it again afterwards (i.e. once you have deactivated maintenance mode). If the version has not changed, no update has been installed and the above error has probably occurred.
You are welcome to post the error messages from the error log here. However, we also need to know which plugins you are using in order to be able to evaluate this.
The error message specifically mentions the iFrame. However, it was just the front page that was iFramed so I’m not sure why WP thinks the admin page was part of that.
I have seen several versions of the code to add to the htaccess file to stop iFrames but is there something else I have to erase to stop WP from thinking it is still iFramed?
In the background the plugins update just fine, but I ALWAYS have to go in and remove the maintenance dot file from the FTP in order to gain access. Then I see they were indeed updated.. so it’s not a problem with the plugins.
The plugins are LiteSpeed Cache and Hubbub
WordPress uses iframes for installing updates in the backend and also for the block editor. Blocking them on the server side is therefore not a good idea and could generally explain the problem. I would recommend avoiding such customizations in general. If they are set by your hosting provider, please contact your host’s support team for clarification.
What exactly does the error message say? You are also welcome to show us a screenshot of it, see:
Ok well that explains it!
I am going to remove the code from the htaccess file and see if that fixes it.
THANK YOU. I will get back to you with the results, which I won’t know until the next time those two plugins, the only ones I use, need updating.
There are two items in CSP, held in headers mod directives and in htaccess or httpd files… iframe and iframe ancestors. One allows “them” to frame your site, and the other which sites you can frame.
Setting both to ‘self’ clears you hot to frame different parts of your page in, well, different parts of your page so long as it’s in the same home directory. After that, be careful who you allow in and who you allow to frame your content. You can take this info and Google up a good set of rules… then, it’s a matter of seeing what’s broken via inspect/console errors in chrome, seeing what you need to allow by url, and deciding if you want to let them in/out, or not. This same holds true for other scripts such as fonts from cdns, js/jquery from other places, etc… all controlled within the CSP with different directives to specific use…
I don’t rec you abandon your CSP especially if you’ve already been targeted before… just set it correctly… it takes minutes and will save days weeks and months of potential frustration.
Thank you for this explanation although I’m still not clear on what exact code I should put in the htaccess file if any. This site is targeted as it is my State Senator and I am sure enemies would love to have access to mess it up.
I just updated a plugin, got that message, but by simply hitting the Updates button again, it took me back to the admin area, and the plugin updated fine and I did not get tossed into maintenance mode.
Thus I was saved from having to go into FTP and remove the dot maintenance file. So at least now I know it’s not anything malicious that is causing this.
If you really want to use CSP, you need to configure it correctly. What is “correct” depends heavily on the structure of your project and must always be done on an individual basis.
There are plugins that can help with this: https://ww.wp.xz.cn/plugins/tags/csp/
Alternatively, find someone to help you, e.g. here: https://jobs.wordpress.net
However, CSP is only one component of website security and has nothing to do with defending against attacks. CSP helps to ensure that only data and files approved by you are loaded for your visitors. It therefore provides security for visitors rather than for the website itself. To secure the website, I would recommend completely different methods, including a security plugin and, if necessary, protecting the admin area with AuthBasic (and no, I don’t think renaming wp-admin is a good idea).
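An added example, not code posted by anyone in this thread: an .htaccess fragment that stops other domains from framing the site while still letting WordPress frame its own admin pages. It assumes the server honours Apache mod_headers directives in .htaccess and that the rule causing the update error was a deny-all framing header, which the thread does not show.

```apache
# Constructed example, not taken from the thread.
<IfModule mod_headers.c>
    # Too strict for WordPress: these refuse ALL framing, including wp-admin
    # framing pages from its own origin (the plugin update screen and the
    # block editor both do this). Shown commented out for comparison.
    # Header always set X-Frame-Options "DENY"
    # Header always set Content-Security-Policy "frame-ancestors 'none'"

    # Same-origin framing only: a page on another domain cannot embed the
    # site, while wp-admin can still load its own iframes.
    # Browsers that support frame-ancestors apply it and ignore
    # X-Frame-Options; the older header covers clients that do not.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
```

If a plugin or the host already sends its own Content-Security-Policy header, the browser enforces every policy it receives, so the stricter one wins; check the response headers in the browser's network panel for both a front-end page and a wp-admin page after saving.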
I thank you for all this information as it’s been helpful. I am no longer getting that message now that I added the proper code to allow pages within the admin area to load even if they are iFrame.
I also thank you for showing me the jobs section, since I have another site that has problems I can’t fix. I’ve suggested to the owner that we hire someone with more expertise who can fix what is wrong.
I have gone as far as I can on it. It was a mess left to us by a reckless person who installed 60+ plugins but did not delete the ones not in use and thus was hacked.
The topic ‘Still problem with iFrame’ is closed to new replies.